Thanks to major changes to built-in firewall software, admins need to give the upcoming service pack a trial run now or face tribulation later.

If you've spent any time on the Microsoft Web site or in newsgroups lately, you've probably already heard the buzz about the upcoming Service Pack release for Windows XP. Service Pack 2 is a major release and the culmination of a huge number of software updates and security improvements. Even though the update is still in Release Candidate form, if you're a Windows administrator who's responsible for maintaining XP machines, get your hands on a copy and install it on a test machine post-haste. The "preview version" can be downloaded from www.microsoft.com/SP2Preview.

Why the big rush? Because there are major changes at work here -- especially to the built-in firewall software -- that will at the very least require you to examine your current administration procedures. You should also check out your production applications to make sure that they all still behave the way you expect them to, especially if they communicate across a network in either a peer-to-peer or client-server format.

The Internet Connection Firewall (ICF) has been renamed the Windows Firewall, and is now enabled by default on all new installations. This means that XP will automatically drop any inbound traffic that wasn't specifically requested by the workstation. You'll hear router and firewall gurus refer to this as a "stateful firewall," because it bases its decisions on the status of any open connections that were initiated by the workstation.

The Windows Firewall is also enabled earlier in the boot-up process than ICF. This means that every administrator who installed a new machine -- only to have Blaster infect it before they got to Windows Update -- can breathe a sigh of relief: The firewall is now active before the workstation ever "sets foot" on the network. Don't panic, though; there's a special startup policy that will still allow your clients to get to your domain controllers, DHCP and DNS servers while they're booting.

So, this sounds like a great idea, right? Unfortunately, these firewall changes do create a bit of a concern for network administrators in a domain configuration. With the Windows Firewall enabled, your XP workstations no longer will be able to function as a server, meaning that any unsolicited network requests simply will be dropped. "So what?" you may think, "Any unsolicited network requests to a workstation could only be a virus or a worm anyway!" Not necessarily. Think about any time that you've needed to connect to a workstation to do troubleshooting or preventative maintenance. How did you do it?

The Computer Management MMC's "connect to a remote computer" function

Remote desktop

The hidden C$/D$ administrative shares on your XP hard drives

In each of these cases, the XP workstation you're trying to connect to is acting (you guessed it) as a server. And with the Windows Firewall turned on, any of these connection attempts will be dropped automatically.
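To make the stateful behavior and its effect on remote administration concrete, here is a small Python model added as an illustration; it is not Windows Firewall code or anything from Microsoft. The port numbers are the well-known defaults for these services, and the class names and addresses are constructed for the example.

```python
# Added illustration: a toy model of stateful inbound filtering.
from dataclasses import dataclass, field

# Well-known default listening ports for the three admin tasks in the article.
# Simplification: remote MMC also uses dynamic RPC ports beyond TCP 135.
ADMIN_SERVICES = {
    "Computer Management (RPC endpoint mapper)": ("tcp", 135),
    "Remote Desktop": ("tcp", 3389),
    "C$/D$ administrative shares (SMB)": ("tcp", 445),
}

@dataclass
class StatefulFirewall:
    exceptions: set = field(default_factory=set)  # {(proto, local_port)} opened by policy
    state: set = field(default_factory=set)       # flows the workstation initiated

    def outbound(self, proto, lport, raddr, rport):
        """Workstation opens a connection: remember the flow so replies pass."""
        self.state.add((proto, lport, raddr, rport))

    def inbound(self, proto, lport, raddr, rport):
        """Return 'allow' or 'drop' for a packet arriving at the workstation."""
        if (proto, lport, raddr, rport) in self.state:
            return "allow"   # reply to traffic the workstation requested
        if (proto, lport) in self.exceptions:
            return "allow"   # unsolicited, but an exception permits it
        return "drop"        # unsolicited and no exception

def admin_reachability(fw, admin_ip="192.0.2.10"):
    """Which admin tasks can an admin machine (constructed address) initiate?"""
    return {name: fw.inbound(proto, port, admin_ip, 50000)
            for name, (proto, port) in ADMIN_SERVICES.items()}

if __name__ == "__main__":
    fw = StatefulFirewall()                        # on by default, no exceptions
    fw.outbound("tcp", 49152, "198.51.100.5", 80)  # user browses to a web server
    print(fw.inbound("tcp", 49152, "198.51.100.5", 80))  # the reply gets through
    print(admin_reachability(fw))                  # every admin task is dropped
    fw.exceptions.add(("tcp", 3389))               # policy opens Remote Desktop only
    print(admin_reachability(fw))
```
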

What's an administrator to do?

Enter: the new Group Policy settings for configuring the Windows Firewall. Where Group Policy previously let you only disable ICF, you can now:

Define a consistent firewall configuration profile for all of your domain clients

Determine whether specific executables can be permitted to pass through the firewall
